JP6632796B2 - Database evaluation device, method and program, and database division device, method and program - Google Patents

Description

  The present invention relates to a database evaluation device, a method, and a program, and a database division device, a method, and a program.

  In recent years, secret information such as passwords and personal identification numbers have frequently been leaked, and a large number of damages related to unauthorized use of systems using the leaked information have been reported. Many of these cases are due to potential vulnerabilities such as human error, equipment failure, or deliberate fraud, and it is not easy to remove the root cause. For this reason, it is considered extremely difficult to reduce the risk of information leakage to zero in the future.

In particular, since many services are currently deployed on the cloud, the following are assumed as information leakage cases.
In a system on the cloud, multiple servers are virtually integrated and used, so if there is a failure or bug in some storage, or if servers of different administrator data centers are integrated, Partial incidents may occur, such as some administrators cheating. If the vulnerabilities become apparent due to those incidents, there is a possibility that secret information of some users of the system will be leaked in large quantities.
In addition, immediately after the information leak is discovered, the target user is considered to change the information early, but other users are inconvenienced by the change caused by using the same information in multiple services. , May be reluctant to change.
In addition, authentication information such as passwords and biometric information used as secret information, or many physical sources are non-uniform information in which each value does not occur uniformly. It is not easy to universally model those non-uniformities, but if we can know the secret information of some users, we can infer the bias of the secret information of other users of the system on the cloud There is. An attack using such non-uniformity of secret information can perform an attack more efficiently than a brute force attack.

  Further, as a conventional research based on the concept of functional safety in the security field, there is an attempt on a leak-resistant cryptosystem which assumes that some information is leaked about secret information due to a side channel attack or the like. In those discussions, in order to prove that the leakage-resistant cryptographic primitive is safe even in the event of information leakage, information leakage is performed using the leakage information f (x) on the secret information x formulated by the leakage function f. Is modeled for safety. For example, Non-Patent Document 1 that presents a model for partial leakage and Non-Patent Document 2 that presents a model different from Non-Patent Document 1 for partial leakage are known.

Adi Akavia, Shafi Goldwasser, V.A. V. : Simultaneous Hardcore Bits and Cryptography Against Memory Attacks, the 6th Theory of Cryptography (TCC 09), LNCS, Vol. 5444; 474-495 (2009). Duc, A .; , Dziembowski, S .; and Faust, S.M. : Unifying leakage models: from probing attacks to noisy leakage, Advances in Cryptology-EUROCRYPT 2014, LNCS, Vol. 8441 pp. 423-440 (2014).

  However, the above model assumes that only partial information of a specific user x is leaked, for example, f (x) is a part of x, and a large amount of secrets are transmitted from the system. It does not guarantee the security of information in the event of information leakage.

  Therefore, there is a demand for an apparatus that evaluates resistance to an attack model that takes into account non-uniformity of secret information when secret information of some users leaks from the system. Further, in order to minimize the influence on the confidential information of the remaining users, there is a demand for a device that divides the database so that the device to be evaluated is determined to have high security.

  The present invention provides a database evaluation device, method, and program that can evaluate the security of the remaining part when a part of the database is leaked, and that when the database is split, one of the splits leaks, It is an object of the present invention to provide a database dividing apparatus, method and program capable of dividing a database so as to be safe.

Specifically, the following solution is provided.
(1) A database evaluation device for evaluating a database, wherein a first database that is a part of the database and a second database that is a part of the database other than the first database include the first database. Estimating means for estimating a second distribution, which is the data distribution of the second database, based on the first distribution, which is the data distribution of the first database, assuming that the database has leaked, and estimating by the estimating means. An average attack success probability, which is a probability that the data selected in the estimated distribution and the data selected in the second distribution match and the attack succeeds, is used as an evaluation index, and based on the evaluation index, the database And a determination unit for determining whether or not the database is safe.

  The database evaluation device of (1) evaluates the average attack success probability, which is the probability that the data selected in the inferred distribution matches the data selected in the second distribution and succeeds in the attack, and evaluates the security of the database. And an evaluation index.

  Therefore, the database evaluation device according to (1) uses the average attack success probability as an evaluation index, so that if a part of the database is leaked, the security of the remaining part can be evaluated.

  (2) The determination means determines that the database is safe if the evaluation index is equal to or less than the probability of successful attack, assuming that the estimated distribution is a uniform distribution. The database evaluation device described in (1).

  The database evaluation device according to (2) can reliably evaluate the security of the remaining part when a part of the database is leaked.

(3) first distance calculating means for calculating a first distance between the estimated distribution and the second distribution;
A second distance calculating means for calculating a second distance between the uniform distribution and the second distribution,
The determination means may be configured such that a second order Renyi entropy of the estimated distribution is equal to or greater than a second order Renyi entropy of the second distribution, and the first distance is a certain value or more based on the second distance. The database evaluation device according to (1), wherein the database is determined to be safe in such a case.

  The database evaluation device according to (3) can more reliably evaluate the security of the remaining part when a part of the database is leaked.

  (4) A database dividing apparatus for dividing a database, wherein the first database is a part of the database and the second database is a part of the database other than the first database. The difference between the second-order Renyi entropy of the first distribution, which is the data distribution of the database, and the second-order Renyi entropy of the second distribution, which is the data distribution of the second database, is within a predetermined range, and Under the condition that the number of classes is the same when the distribution and the second distribution are represented in a histogram, the other database is based on the distribution of data contained in one of the first database or the second database. Data selected from the inferred distribution in which the distribution of the data contained in the A dividing unit that divides the database into the first database and the second database so that a probability that an attack on the other database is successful by matching data selected from the base is equal to or less than a predetermined value. , Database partitioning device.

  The database dividing device according to (4) includes: a data selected from an estimated distribution obtained by estimating a distribution of data included in the other database based on a distribution of data included in one of the first database and the second database; The database is divided into a first database and a second database so that the probability that an attack on the other database will be successful when the data selected from the database matches will be equal to or less than a predetermined value.

  Therefore, the database dividing device according to (4) can divide the database such that, even if one of the divided databases leaks when dividing the database, the other is safe.

  (5) The dividing means may be configured such that a distance between the first distribution and the second distribution is equal to or greater than a certain value based on a distance between the first distribution or the second distribution and a uniform distribution. The database dividing device according to (4), wherein the database is divided into the first database and the second database.

  Therefore, the database dividing device according to (5) can divide the database such that, even if one of the divided databases leaks when dividing the database, the other of the divided databases is surely safe.

  (6) The dividing means determines a difference between a second-order Renyi entropy of the first distribution and a second-order Renyi entropy of the second distribution and a second-order Renyi entropy of the data distribution of the database in a predetermined range, respectively. The database dividing apparatus according to (4) or (5), wherein the database is divided under the added condition of being inside.

  The database dividing device according to (6) can divide the database such that, even if one of the divided databases leaks when dividing the database, the other is safe.

  (7) The dividing means makes the number of classes when the first distribution and the second distribution are represented by a histogram equal to the number of classes when the data distribution of the database is represented by a histogram. The database dividing device according to any one of (4) to (6), wherein the database is divided under the added condition.

  The database dividing device according to (7) can divide the database so as to increase security when none of the divided databases is leaked.

  (8) The data dividing means according to any one of (4) to (7), wherein the dividing means preferentially moves a class having a large amount of change in distance between the first database and the second database by a greedy method. 2. The database division device according to 1.

  The database dividing device according to (8) can efficiently move the data between the first database and the second database so as to increase the distance between the databases.

  (9) The method executed by the database evaluation device according to (1), wherein the estimating unit includes: a first database that is a part of the database; and a part of the database other than the first database. And a second database, which is a data distribution of the second database, based on the first distribution, which is a data distribution of the first database, assuming that the first database has leaked. A guessing step of guessing, wherein the determination means determines that an average attack is a probability that the data selected in the guessed distribution estimated in the guessing step coincides with the data selected in the second distribution and the attack succeeds. Using the success probability as an evaluation index, determining whether or not the database is safe based on the evaluation index The method comprising: a step, a.

  In the method according to (9), since the average attack success probability is used as the evaluation index, when a part of the database is leaked, the security of the remaining part can be evaluated.

  (10) The method executed by the database division device according to (4), wherein the division unit includes a first database that is a part of the database, and a first database other than the first database in the database. A difference between a second-order Renyi entropy of a first distribution, which is a data distribution of the first database, and a second-order Renyi entropy of a second distribution, which is a data distribution of the second database, with respect to a second database that is a part. Within a predetermined range, and one of the first database or the second database under the condition that the number of classes is the same when the first distribution and the second distribution are represented in a histogram. Was selected from the inferred distributions in which the data distribution in the other database was inferred based on the data distribution in The first database and the second database so that the data and the data selected from the other database match and the probability of successful attack on the other database is equal to or less than a predetermined value. The method comprises a dividing step of dividing into:

  In the method according to (10), when a database is divided, even if one of the divided parts leaks, the database can be divided so that the other part is safe.

  (11) A program for causing a computer to execute each step of the method according to (9).

  The program according to (11) allows a computer to evaluate the security of the remaining part when a part of the database is leaked.

  (12) A program for causing a computer to execute each step of the method according to (10).

  The program according to (12) can cause the computer to divide the database so that even if one of the divided databases leaks when the database is divided, the other is safe.

  ADVANTAGE OF THE INVENTION According to this invention, when one part of a database leaks, the database evaluation apparatus can evaluate the security of the remaining part. The database dividing device can divide the database such that, even when one of the divided parts leaks when dividing the database, the other part is safe.

It is a block diagram showing composition of a database evaluation device and a database division device concerning one embodiment of the present invention. 6 is a flowchart illustrating an example of an evaluation process based on an evaluation index of the database evaluation device according to an embodiment of the present invention. 5 is a flowchart illustrating an example of an evaluation process based on a distance of the database evaluation device according to an embodiment of the present invention. 6 is a flowchart illustrating an example of a division algorithm of the database division device according to one embodiment of the present invention. It is a flowchart following FIG. FIG. 4 is a diagram illustrating an example of histograms of a first DB and a second DB divided by the database dividing device 20 according to an embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

The definitions of the second-order Renyi entropy and random variables used in the description are as follows.
Assuming that the probability function of the random variable X on the discrete set χ is p (x), the second-order Rennie entropy H ₂ (X) of X is defined by Expression (1).

  Assuming that the probability functions of the random variables X and Y on the discrete set χ are p (x) and q (x), the distance D (X, Y) between X and Y is defined by Expression (2).

  When q (x) has a uniform distribution, the distance E (X) between X and Y can be expressed by equation (3).

[Database evaluation device 10]
First, the database evaluation device 10 will be described.
If a part of the database 30 that stores the user's secret information (for example, a personal identification number, a password, and biometric information associated with the user) is leaked, the attacker can use the leaked information to obtain the remaining users. May be able to estimate the distribution of secret information. The evaluation of the security of the database evaluation device 10 against DGA (Distribution Guessing Attack), which is one of the attack models using the inferred distribution that is the inferred distribution, will be described.

The DGA attack procedure is shown in the form of a game by an attacker and a challenger.
Here, a set of users whose secret information has been leaked is U ′, and a set of secret information data of each user U ′ is W ′. Also, a set of users to be attacked is U, and a set of secret information data of each user of U is W. It is assumed that each data of W occurs according to the probability function p (x) on the set of possible values χ. Here, u ≠ u ', u∈U, and u'∈U'.
(1) The attacker estimates a probability function p (x) from W ′ obtained using an arbitrary distribution estimation algorithm Κ. At this time, the estimated distribution is defined as q (x).
(2) The challenger randomly selects the user u @ U and extracts the corresponding secret information w @ W.
(3) The attacker selects secret information x { _q } according to q (x).
(4) If x and w match, the attacker wins.

  The database evaluation device 10 evaluates security using an average attack success probability, which is a probability of successful attack, as an evaluation index for evaluating security.

  FIG. 1 is a block diagram showing a configuration of a database evaluation device 10 and a database division device 20 according to an embodiment of the present invention. The database evaluation device 10 includes an estimating unit 11, a determining unit 12, a first distance calculating unit 13, and a second distance calculating unit 14. Each means will be described in detail.

  The estimating means 11 estimates, based on the distribution of the leaked information, the distribution of the remaining information that has not been leaked on behalf of the attacker. That is, the estimating unit 11 includes a first database (referred to as a first DB 31) which is a part of the database 30 (for example, user's confidential information) and a second database which is a part of the database 30 other than the first DB 31. In a database (referred to as a second DB 32), assuming that the first DB 31 has leaked, a second distribution that is the data distribution of the second DB 32 is estimated based on the first distribution that is the data distribution of the first DB 31.

[Database Evaluation Apparatus 10: Example of Evaluation Based on Evaluation Index]
The judging unit 12 selects the data selected in the estimated distribution (distribution estimated on behalf of the attacker) q (x) estimated by the estimating unit 11 and the second distribution (distribution of secret information of the attack target user) p ( The average attack success probability, which is the probability of the successful attack in which the data selected in x) matches, is used as the evaluation index, and it is determined whether or not the database 30 is safe based on the evaluation index. More specifically, the determining unit 12 calculates the average attack success probability P _DGA of the _DGA from the second distribution p (x) and the estimated distribution q (x) according to the equation (4), and the database 30 is safe. Is determined.

If no information is leaked from the system, the attacker has no information on p (x), and therefore has no other choice but to execute DGA according to a uniform distribution on the discrete set χ. If | χ | = ²ⁿ , the attack success probability at that time can be represented by 2- ⁿ . Therefore, even if some confidential information is leaked, if P _DGA ≦ 2− ^n, it can be said that the security is the same as when no information is leaked. In this specification, the security at this time is defined as DGA security.

Further, the determining unit 12 determines that the database 30 is safe if the evaluation index is equal to or less than the probability of successful attack (2- ⁿ ), ^assuming that the estimated distribution is a uniform distribution.

  FIG. 2 is a flowchart illustrating an example of an evaluation process based on the evaluation index of the database evaluation device 10 according to an embodiment of the present invention. The database evaluation device 10 is configured by hardware included in a computer and its peripheral devices, and software that controls the hardware. The following process is a process executed by a control unit (for example, a CPU) according to predetermined software.

  In step S101, the CPU (estimating means 11) assumes that a part of the database 30 has leaked, and estimates the data distribution of the remaining part. More specifically, the CPU, when assuming that the first DB 31 has leaked in the first DB 31 that is a part of the database 30 and the second DB 32 that is a part other than the first DB 31 of the database 30, A second distribution, which is a data distribution of the second DB 32, is estimated based on a first distribution, which is a data distribution of 1DB31.

In step S102, the CPU (determination means 12) evaluates the security of the remaining portion using the average attack success probability based on the estimated distribution as an evaluation index. More specifically, the CPU calculates the average attack success probability P _DGA of the _DGA as an evaluation index by equation (4), and calculates the calculated evaluation index and the estimated distribution q (x) estimated in step S101. The probability that the attack succeeds when the distribution is ^likewise (2- ⁿ ) is compared, and when the evaluation index is equal to or less than the probability (2- ⁿ ), the database 30 is determined to be safe. Thereafter, the CPU ends the processing.

[Database Evaluation Device 10: Example of Evaluation Based on Distance]
Returning to FIG. 1, the determination based on the distance by the database evaluation device 10 will be described.
The database evaluation device 10 further includes a first distance calculation unit 13 and a second distance calculation unit 14.
The first distance calculating means 13 calculates a first distance (D) between the estimated distribution and the second distribution.
The second distance calculating means 14 calculates a second distance (E) between the uniform distribution and the second distribution.
The determining unit 12 determines that the database 30 is safe based on the distance between the estimated distribution and the second distribution.

Here, if X and Y are random variables on a discrete set 持 つ having p (x) and q (x) as probability functions, respectively, and H ₂ (X) = r and H ₂ (Y) = s, The one distance calculating means 13 calculates the first distance (D) by using the equation (2). The second distance calculating means 14 calculates the second distance (E) by using the equation (3).
When r ≦ s, the inequality (5) holds.

  The following shows that Expression (5) holds.

  That is, equation (5) holds.

From Equations (3) and (5), the following inequality holds when P _DGA ≦ 2- ⁿ .

Therefore, if r ≦ s and D (X, Y) ² ≧ 2E (X) ² can be achieved, it can be said that the system is DGA-safe, as in the definition of P _DGA ≦ 2- ⁿ .
That is, the determining unit 12 determines that the database 30 is safe when the first distance is equal to or more than a certain value based on the second distance.

  FIG. 3 is a flowchart illustrating an example of an evaluation process based on a distance of the database evaluation device 10 according to an embodiment of the present invention.

  In step S111, the CPU (estimating means 11) estimates the data distribution of the remaining part, assuming that a part of the database 30 has leaked. More specifically, the CPU, when assuming that the first DB 31 has leaked in the first DB 31 that is a part of the database 30 and the second DB 32 that is a part other than the first DB 31 of the database 30, A second distribution, which is a data distribution of the second DB 32, is estimated based on a first distribution, which is a data distribution of 1DB31.

  In step S112, the CPU (first distance calculation means 13) calculates the distance between the estimated distribution and the remaining part. More specifically, the CPU calculates the first distance (D) according to equation (2).

  In step S113, the CPU (second distance calculating means 14) calculates the distance between the uniform distribution and the remaining portion. More specifically, the CPU calculates the second distance (E) by Expression (3).

In step S114, the CPU (determination means 12) evaluates the safety of the remaining part based on the calculated distance. More specifically, the CPU determines that the first distance is equal to or greater than a predetermined value based on the second distance (when r ≦ s and D (X, Y) ² ≧ 2E (X) ² is satisfied). Then, it is determined that the database 30 is safe. Thereafter, the CPU ends the processing.

[Database partitioning device 20]
Next, returning to FIG. 1, the database dividing device 20 will be described.
The database dividing device 20 includes a dividing unit 21. Even if one of the divided first DBs 31 leaks and an attacker performs a DGA attack on the other second DB 32 based on the leaked first DB 31, the database 30 is DGA-safe. The database 30 is divided as is.
The database dividing device 20 divides and stores confidential information that is resistant to DGA, regardless of whether the first DB 31 or the second DB 32 leaks.

  The secret information (for example, a personal identification number and a password associated with the user) is divided into two databases (for example, a first DB 31 and a second DB 32) that are made into a cloud and stored in different storages.

The dividing unit 21 divides the database under the following three conditions.
Condition 1: The attacker uses a histogram as the distribution estimation algorithm Κ.
Condition 2: The resistance to DGA is the same regardless of which of the first DB 31 and the second DB 32 is leaked.
Condition 3: If neither the first DB 31 nor the second DB 32 is leaked, the first DB 31 and the second DB 32 are similarly sufficiently secure.

  The dividing means 21 generates a second order Renyi entropy of the first distribution, which is the data distribution of the first DB 31, in the first DB 31 which is a part of the database 30 and the second DB 32 which is a part other than the first DB 31 of the database 30. And the difference between the second distribution and the second-order Renyi entropy of the second distribution, which is the data distribution of the second DB 32, is within a predetermined range, and the number of classes is the same when the first distribution and the second distribution are represented in the histogram. Under the condition that the data is selected from the estimated distribution obtained by estimating the distribution of data included in the other database based on the distribution of data included in one of the first DB 31 or the second DB 32, and selected from the other database So that the probability that the attack on the other database succeeds by matching the data obtained is less than or equal to the predetermined value, Dividing the database 30 to the first 1DB31 and the 2DB32.

To make the difference between the second order Renyi entropy of the first distribution and the second order Renyi entropy of the second distribution within a predetermined range, for example, r = H ₂ (X ₁ ) = H ₂ (X ₂ ) It refers to the state. Thereby, the resistance to DGA is improved. In addition, the degree is the same regardless of whether the first DB 31 or the second DB 32 leaks.

Here, p ₁ (x) is a histogram of data included in the first DB 31 and p ₂ (x) is a histogram of data included in the second DB 32.
From condition 1, the estimated distribution q (x) of the attackers can be expressed as p2 (x) when the second DB 32 leaks, and p1 (x) when the first DB 31 leaks.
Let X ₁ and X _{2 be} random variables according to p ₁ (x) and p ₂ (x), respectively. Assuming that r = H ₂ (X ₁ ) = H ₂ (X ₂ ), the equality of equation (5) holds, so that the attack success probability P _DGA of the _DGA is the same regardless of whether the first DB 31 or the second DB 32 leaks. It can be expressed by equation (12).

In the present embodiment, it is assumed that the attacker uses the histogram as the distribution estimation algorithm according to the condition 1, but there is a possibility that a more effective algorithm is actually used. If the attacker can guess the same distribution as the distribution p (x) of the database of the attack target, D (X ₁ , X ₂ ) = 0, and the average attack success probability of the DGA can be expressed by 2- ^r . Therefore, the value of r needs to be sufficiently large. However, since it is assumed that H ₂ (X ₁ ) = H ₂ (X ₂ ), H ₂ (X ₁ ) and H ₂ (X ₂ ) are randomly assigned to the first DB 31 and the second DB 32. Each becomes the maximum. Therefore, r is set so as to satisfy Expression (13).
r = H ₂ (X ₁ ) = H ₂ (X ₂ ) = H (X) (13)
Here, X is a random variable according to the distribution of the total data of the first DB 31 and the second DB 32.

The dividing means 21 sets the difference between the second-order Renyi entropy of the first distribution and the second-order Renyi entropy of the second distribution and the second-order Renyi entropy of the data distribution in the database 30 to be within predetermined ranges, respectively. Split under the added conditions.
Specifically, in order to increase the security when the attacker can completely guess p (x), the dividing unit 21 performs the division under the added condition that r satisfies Expression (13). I do.

Considering Condition 3, Expression (14) is set in order to increase the resistance to DGA when the attacker has no information on p (x).
| Χ ₁ | = | χ ₂ | = | χ | (14)
Here, _{１ 1} and χ ₂ are a set of possible values of data of the first DB 31 and the second DB 32, and χ is a set of possible values of total data included in the first DB 31 and the second DB 32.
From the above, it can be seen that D (X ₁ , X ₂ ) in equation (12) should be increased under the conditions of equations (13) and (14) in order to improve the resistance to DGA.

That is, the dividing unit 21 determines that the distance between the first distribution and the second distribution is equal to or more than a certain value based on the distance between the first distribution or the second distribution and the uniform distribution (the above-described D (X, Y) ² ≧ 2E (X) ² ), the database 30 is divided into a first DB 31 and a second DB 32.

The dividing means 21 adds an additional condition that the number of classes when the first distribution and the second distribution are represented by a histogram is equal to the number of classes when the data distribution of the database 30 is represented by a histogram. Split under.
Specifically, the dividing unit 21 divides so as to satisfy Expression (14) in order to increase the resistance to DGA when the attacker has no information on p (x).

[Division algorithm]
Since the total number of divisions increases exponentially as the number of data increases, a division algorithm that solves efficiently will be described.

Here, c ₁ (x) and c ₂ (x) are the numbers of data taking the value x 値 included in the first DB 31 or the second DB 32, respectively. At this time, the number of data having the value x in the total data of the first DB 31 and the second DB 32 is given by c (x) = c ₁ (x) + c ₂ (x).
The partitioning algorithm obtains c ₁ (x) and c ₂ (x) that maximize the objective function using equation (15) as an objective function and equations (16) to (18) as constraints.

  The division algorithm includes procedures from initial setting to Step 4.

Initial setting: N pieces of secret information data are divided into a first DB 31 and a second DB 32 having the same size. However, division is performed so as to satisfy c ₁ (x) = c ₂ (x) in all x∈χ. Next, Δ = {δ (x) = c (x) −2} _(x∈χ) is created.

Step 1: x corresponding to the largest δ (x) ∈Δ is selected, and [δ (x) − | c ₁ (x) −c ₂ (x) |] / 2 data is transferred from the second DB 32 to the first DB 31. Move.

Step 2: [δ (x) − | c ₁ (x) −c ₂ (x) |] / 2 pieces of data are moved from the first DB 31 to the second DB 32 so as to satisfy Expression (16). However, this movement is performed by the greedy method.

The greedy method used in Step 2 will be described. The change amount of c ₂ (x) ² −c ₁ (x) ² when e data having the value x is moved from the first DB 31 to the second DB 32 can be expressed by the following equation.
[(C ₂ (x) + e) ^2- (c ₁ (x) -e) ² ]
− [C ₂ (x) ² −c ₁ (x) ² ] (19)
= 2 · [c ₂ (x) + c ₁ (x)] · e (20)
= 2 · c (x) · e (21)
Therefore, it can be seen that moving the data of x having a large c (x) can greatly change the value of the expression (22) by moving a small amount of data. For this reason, in the greedy method of Step 2, the data is moved in order from the data of x having the largest c (x).

  Step 3: Δ is updated as δ (x) = ⊥ (data end).

  However, if the data that satisfies the condition cannot be moved in Step 2, the state is returned to the state before performing Step 1 and Step 2, and Δ is updated as δ (x) = δ (x) −2.

  Step 4: The operation from Step 1 to Step 3 is repeated until all δ (x) of Δ become 0 or less or ⊥.

However, this step is performed according to the following conditions.
In Step 1, if c ₂ (x)> c ₁ (x) holds, data moves from the first DB 31 to the second DB 32. In this case, in Step 2, the process moves from the second DB 32 to the first DB 31.
In Step 1, when | c ₁ (x) −c ₂ (x) | ≧ δ (x) holds, the data relating to the x is not moved, and Δ (x) = ⊥ (data end) is set as Δ Is updated, and the process proceeds to the next process x.
In Step 2, only data of x of δ (x) ≠ ⊥ (end of data) is moved.

In this algorithm, the amount of calculation of the greedy method does not exceed N / 2. In addition, since the calculation amount of Step 3 is proportional to the number of updates of Δ, the worst case is N / 2 at most. Therefore, the worst case calculation amount of the present division algorithm is Ο (N ² ).

Next, the above-described division algorithm will be described with reference to a flowchart.
FIGS. 4 and 5 are flowcharts illustrating an example of a division algorithm of the database division device 20 according to an embodiment of the present invention. The database partitioning device 20 is configured by hardware included in a computer and its peripheral devices, and software that controls the hardware. The following process is a process executed by a control unit (for example, a CPU) according to predetermined software. Note that this process may be started when the database evaluation device 10 determines that a part of the database 30 is not secure.

In step S201, the CPU (division unit 21) performs initialization. More specifically, the CPU divides the N pieces of secret information data into the first DB 31 and the second DB 32 having the same size and creates Δ = {δ (x) = c (x) −2} (x}). I do. However, the CPU divides so that c ₁ (x) = c ₂ (x) in all x∈χ.

In step S202, the CPU (dividing means 21) selects x corresponding to the largest δ (x) ∈Δ, and | c ₁ (x) −c ₂ (x) | ≧ δ (x) holds. Determine whether or not. When this determination is YES, the CPU shifts the processing to step S207, and when this determination is NO, the CPU shifts the processing to step S203.

In step S203, the CPU (dividing means 21) determines whether c ₂ (x)> c ₁ (x) holds. When this determination is YES, the CPU shifts the processing to step S210, and when this determination is NO, the CPU shifts the processing to step S204.

In step S204, the CPU (dividing means 21) moves the data from the second DB 32 to the first DB 31. More specifically, the CPU moves [δ (x) − | c ₁ (x) −c ₂ (x) |] / 2 data from the second DB 32 to the first DB 31.

In step S205, the CPU (dividing means 21) moves data from the first DB 31 to the second DB 32 by the greedy method. More specifically, the CPU moves [δ (x) − | c ₁ (x) −c ₂ (x) |] / 2 data from the first DB 31 to the second DB 32 so as to satisfy Expression (16). Let it. The CPU moves the data having the value x from the first DB 31 to the second DB 32 in order from the data having the largest change amount of c ₂ (x) ² −c ₁ (x) ² (greedy method).

  In step S206, the CPU (division unit 21) determines whether or not the movement has been performed so as to satisfy Expression (16). If this determination is YES, the CPU shifts the processing to step S207. If this determination is NO, the CPU shifts the processing to step S208.

  In step S207, the CPU (division unit 21) updates Δ as δ (x) = ⊥ (data end). Thereafter, the CPU moves the processing to step S209.

  In step S208, the CPU (division unit 21) returns the data movement in steps S204 and S205 to the previous state, and updates Δ as δ (x) = δ (x) −2.

  In step S209, the CPU (division unit 21) determines whether all δ (x) of Δ are equal to or less than 0 or ⊥ (end of data). When this determination is YES, the CPU ends the process, and when this determination is NO, the CPU shifts the processing to step S202.

In step S210, the CPU (dividing means 21) moves data from the first DB 31 to the second DB 32. More specifically, the CPU moves [δ (x) − | c ₁ (x) −c ₂ (x) |] / 2 data from the first DB 31 to the second DB 32.

In step S211, the CPU (dividing means 21) moves data from the second DB 32 to the first DB 31 by the greedy method. More specifically, the CPU moves [δ (x) − | c ₁ (x) −c ₂ (x) |] / 2 data from the second DB 32 to the first DB 31 so as to satisfy Expression (16). Let it. CPU moves from a larger data ^{_{c 2 (x) 2 -c 1}} (x) 2 of the amount of change when the data take the value x is moved from the 2DB32 to the 1DB31 sequentially (greedy method).

  In step S212, the CPU (division unit 21) determines whether or not the movement has been performed so as to satisfy Expression (16). If this determination is YES, the CPU moves the process to step S213, and if this determination is NO, the CPU moves the process to step S214.

  In step S213, the CPU (division unit 21) updates Δ as δ (x) = ⊥ (data end). Thereafter, the CPU moves the processing to step S209.

  In step S214, the CPU (dividing means 21) returns the data movement in step S210 and step S211 to the previous state, and updates Δ as δ (x) = δ (x) -2. Thereafter, the CPU moves the processing to step S209.

  FIG. 6 is a diagram illustrating an example of histograms of the first DB 31 and the second DB 32 divided by the database dividing device 20 according to an embodiment of the present invention. The database 30 before being divided assumes that the secret information takes 32 different values, and stores 1000 data. However, those data are generated according to the standard normal distribution. In the data, the section [-3σ, 3σ] is equally divided into 32 sections, and each section is assigned a value of secret information.

  The example of FIG. 6 shows an example of the histograms of the first DB 31 and the second DB 32 obtained by dividing the database 30 by the division algorithm. The horizontal axis in FIG. 6 indicates the class of the secret information (reference numbers of possible values), and the vertical axis indicates the frequency. In the example of FIG. 6, the appearance frequency of data is largely different between the first DB 31 and the second DB 32 for almost all reference numbers. Therefore, the example of FIG. 6 shows that the secret information resistant to DGA is divided and stored by the database dividing device 20 even when either the first DB 31 or the second DB 32 is leaked. .

According to the present embodiment, the database evaluation device 10 assumes that the first DB 31 has leaked in the first DB 31 that is a part of the database 30 and the second DB 32 that is a part other than the first DB 31 of the database 30. In this case, based on the first distribution that is the data distribution of the first DB 31, the second distribution that is the data distribution of the second DB 32 is estimated, and the data selected in the estimated estimation distribution and the data that is selected in the second distribution are estimated. The average attack success probability, which is the probability of successful attack in accordance with the data, is used as an evaluation index, and whether or not the database 30 is safe is determined based on the evaluation index. The database evaluation device 10 determines that the database 30 is safe if the evaluation index is equal to or less than the probability of successful attack when the estimated distribution is assumed to be a uniform distribution. The database evaluation device 10 calculates a first distance between the estimated distribution and the second distribution, calculates a second distance between the uniform distribution and the second distribution, and calculates the second-order Lenny entropy of the estimated distribution as the second distribution. The database 30 is determined to be safe if the second distance is greater than or equal to the second Reny entropy and the first distance is greater than or equal to a certain value based on the second distance.
Therefore, when a part of the database 30 is leaked, the database evaluation device 10 can evaluate the security of the remaining part.

According to the present embodiment, the database dividing device 20 divides the database 30 so that the database is evaluated as safe by the database evaluating device 10. In the first DB 31 and the second DB 32 of the database 30, the database dividing device 20 generates a second order Renyi entropy of the first distribution that is the data distribution of the first DB 31 and a second Reny entropy of the second distribution that is the data distribution of the second DB 32. Under the condition that the difference from the next Rennie entropy is within a predetermined range and the number of classes is the same when the first distribution and the second distribution are represented in the histogram, the first distribution and the second distribution are equal. The database 30 is divided into a first DB 31 and a second DB 32 such that the distance to the distribution is equal to or greater than a certain value based on the distance between the first distribution or the second distribution and the uniform distribution.
Further, the database dividing device 20 sets the difference between the second order Renyi entropy of the first distribution and the second order Renyi entropy of the second distribution, and the difference between the second order Renyi entropy of the data distribution of the database 30 within a predetermined range. Split under the added condition of doing.
Further, the database dividing device 20 sets the number of classes when the first distribution and the second distribution are represented by a histogram and the number of classes when the data distribution of the database 30 is represented by a histogram, respectively. Split under the added conditions.
Further, the database dividing device 20 moves data by giving priority to a class having a large amount of change in the distance between the first DB 31 and the second DB 32 by the greedy method.
Therefore, when dividing the database 30, the database dividing device 20 can divide the database 30 so that even if one of the divided parts leaks, the other part is safe.
As described above, the present invention can evaluate the security when information leakage occurs. Further, the present invention can minimize the influence on the confidential information of the remaining users when the confidential information of some users leaks from the system. The present invention can provide a cloud platform specialized for a system that handles a large amount of confidential information.

  The embodiments of the present invention have been described above, but the present invention is not limited to the above-described embodiments. In addition, the effects described in the embodiments of the present invention merely enumerate the most preferable effects resulting from the present invention, and the effects of the present invention are limited to those described in the embodiments of the present invention. is not.

    A series of processes by the database evaluation device 10 or the database division device 20 can be performed by software. When a series of processing is performed by software, a program constituting the software is installed in a general-purpose computer or the like. In addition, the program may be recorded on a computer-readable recording medium (for example, a removable medium such as a CD-ROM) and distributed to the user, or may be downloaded to the user's computer via a network. May be distributed by

DESCRIPTION OF SYMBOLS 10 Database evaluation apparatus 11 Estimation means 12 Judgment means 13 1st distance calculation means 14 2nd distance calculation means 20 Database division apparatus 21 Division means 30 Database 31 1st DB
32 2nd DB

Claims (12)

A database evaluation device that evaluates a database that stores user secret information data,
A first database for storing secret information data of some of the users, the first database being a part of the database, and a part other than the first database of the database, And a second database that stores secret information data of the users other than the user, if it is assumed that the first database has leaked, based on a first distribution that is a data distribution of the first database, Estimating means for estimating a second distribution which is a data distribution of the second database using a distribution estimating algorithm;
The average attack success probability, which is the probability that the data selected in the guessed distribution guessed by the guessing means matches the data selected in the second distribution and succeed in the attack, is used as an evaluation index,
Determining means for determining whether the database is safe based on the evaluation index,
A database evaluation device comprising:   The said judgment means judges that the said database is safe, when the said evaluation parameter | index is below the probability of an attack succeeding, assuming that the said guess distribution is a uniform distribution, The said database is safe. Database evaluation device. First distance calculating means for calculating a first distance between the estimated distribution and the second distribution;
A second distance calculating means for calculating a second distance between the uniform distribution and the second distribution,
The determining means replaces the determination based on the evaluation index with a second-order Renyi entropy of the estimated distribution that is equal to or greater than a second-order Renyi entropy of the second distribution, and the first distance is the first The database evaluation device according to claim 1, wherein the database is determined to be safe if the distance is equal to or greater than a value obtained by multiplying the two distances by a predetermined coefficient . A database dividing device that divides a database that stores user secret information data,
A first database for storing secret information data of some of the users, the first database being a part of the database, and a part other than the first database of the database, A second database that stores confidential information data of the users other than the second user, a second-order Renyi entropy of a first distribution that is a data distribution of the first database, and a second Reny entropy that is a data distribution of the second database. Under the condition that the difference between the distribution and the second-order Reny's entropy is within a predetermined range, and the number of classes is the same when the first distribution and the second distribution are represented in a histogram,
Data selected from an estimated distribution obtained by estimating a data distribution included in the other database using an arbitrary distribution estimation algorithm based on a data distribution included in one of the first database and the second database; and A dividing unit that divides the database into the first database and the second database so that the probability that the data selected from the database matches and the attack on the other database succeeds is equal to or less than a predetermined value. ,
Database partitioning device.   The dividing means stores the database such that a distance between the first distribution and the second distribution is equal to or greater than a certain value based on a distance between the first distribution or the second distribution and a uniform distribution. The database dividing apparatus according to claim 4, wherein the database is divided into a first database and the second database.   The dividing means sets a difference between a second-order Renyi entropy of the first distribution and a second-order Renyi entropy of the second distribution and a second-order Renyi entropy of the data distribution of the database within a predetermined range. The database dividing apparatus according to claim 4, wherein the division is performed under the further added condition.   The dividing means sets the number of classes when the first distribution and the second distribution are represented in a histogram and the number of classes when the data distribution of the database is represented in a histogram, respectively. The database dividing apparatus according to claim 4, wherein the division is performed under the added condition.   The database according to any one of claims 4 to 7, wherein the division unit moves data by giving priority to a class having a large amount of change in distance between the first database and the second database by a greedy method. Splitting device. A method performed by the database evaluation device according to claim 1, wherein
The estimating means is a part of the database, a first database storing secret information data of some of the users, and a part of the database other than the first database. And in a second database storing secret information data of the users other than the some users, when it is assumed that the first database has been leaked, the first distribution is a data distribution of the first database. An estimation step of estimating a second distribution, which is a data distribution of the second database, using an arbitrary distribution estimation algorithm,
The evaluation means uses, as an evaluation index, an average attack success probability, which is a probability that the data selected in the guessed distribution estimated in the guessing step matches the data selected in the second distribution and the attack succeeds. A determination step of determining whether the database is safe based on the evaluation index;
A method comprising: A method performed by the database partitioning apparatus according to claim 4, wherein
The dividing means is a part of the database, a first database storing secret information data of some of the users, and a part of the database other than the first database. A second database that stores secret information data of the users other than the some users; a second-order Renyi entropy of a first distribution that is a data distribution of the first database; and a data of the second database. A condition that the difference between the second distribution and the second-order Reny's entropy of the second distribution is within a predetermined range, and the number of classes is the same when the first distribution and the second distribution are represented in a histogram. Under
Data selected from an estimated distribution obtained by estimating a data distribution included in the other database using an arbitrary distribution estimation algorithm based on a data distribution included in one of the first database and the second database; and A dividing step of dividing the database into the first database and the second database such that a probability that an attack on the other database is successful by matching data selected from the database is equal to or less than a predetermined value. ,
Method. A program for causing the database evaluation device to execute each step of the method according to claim 9. A program for causing the database dividing device to execute each step of the method according to claim 10.

Images